Millions of Customer Records Leaked at Panera Bread

The Panera Bread company website has been leaking customer data since at least last August. Leaked data from the PaneraBread.com website includes names, email and physical addresses, birthdays and last four digits of the customer’s credit card number. The leaked data appears to belong to any Panera customer who signed up for an account to order food online at the website.

According to Brian Krebs at KrebsOnSecurity, security researcher Dylan Houlihan notified Panera that data was leaking from the website on August 2, 2017. At first the company dismissed the report, but just a week later was able to verify the report and claimed it was working on a fix. According to Krebs, more than 7 million customer records could have leaked.

Then on Monday, the situation got weird. According to Krebs:

Fast forward to early [Monday] afternoon — exactly eight months to the day after Houlihan first reported the problem — and data shared by Houlihan indicated the site was still leaking customer records in plain text. Worse still, the records could be indexed and crawled by automated tools with very little effort.

Panera Bread was sold to Europe’s JAB Holdings in April 2017 for $7.5 billion. JAB also owns Krispy Kreme, Caribou Coffee and Keurig among its fast stable of brands, many of which are food and beverage related.

After being notified by Krebs on Monday that the website was still leaking data, Panera shut the site down and claims to have fixed the problem. The company also released a statement to Fox News stating that only 10,000 customer records were exposed. But according to another data security firm cited by Krebs, the actual number of leaked records “appears to exceed 37 million.”